The National Institute of Standards and Technology (NIST) recently announced the selection of a new family of cryptographic algorithms called ASCON, which have been developed for lightweight cryptography applications. In this blog, we will explore what lightweight cryptography is and why it is worth considering for specific Internet of Things (IoT) use cases.

In short, lightweight cryptography aims to make symmetric cryptography as small and energy-efficient as possible while maintaining enough security that short-lived or low-cost devices can still be operated securely. Think of it this way: does an IoT lightbulb require security comparable to AES-256 to be turned on or off? Does an RFID card with a lifetime measured in a few years, used for cafeteria payments, require security against quantum computer attacks? Such devices of course need robust security, just not at the level some other applications require.

The common consensus is that 128-bit security is an acceptable level for most use cases: secure against classical computers for the foreseeable future, but not enough to be considered post-quantum secure. This is the security level NIST targeted in its Lightweight Cryptography standardization effort. But why is a new algorithm needed? After all, AES-128, SHA-256 and SHA3-256 all provide this security level and are very widely deployed and supported.

Anyone who has worked on an infrastructure installation knows how important interoperability is. But in IoT there are enough devices where every gate saved on a chip helps make the product viable, and where every nanojoule saved extends precious battery lifetime. Compared to supporting AES-128 on those devices, it is often much easier to add an additional algorithm to the aggregator chip that collects data from multiple IoT devices and communicates with the backend servers.

This is even more true if countermeasures against DPA (differential power analysis) need to be considered. Neither AES-128 nor HMAC-SHA2-256 is particularly easy to protect against DPA attacks. The scientific community has made great gains in designing DPA-friendly symmetric algorithms since AES and SHA-2 were developed. NIST has recognized this, and the lightweight cryptography competition, in which ASCON was selected to become the standard, was designed to find an algorithm that provides both AEAD (Authenticated Encryption with Additional Data) and hash functionality at optimal cost, not just in software and hardware implementations, but also when DPA countermeasures are required. For a detailed look at the ASCON algorithm, download our recent white paper Lightweight Cryptography: An Introduction.
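To make the AEAD side of ASCON concrete, here is a compact ASCON-128 implementation in pure Python, added as an illustration and not code from this post or from Rambus: the 320-bit permutation with its constant, substitution and linear layers, keyed initialisation, associated-data absorption with domain separation, and tag generation with constant-time verification. The key, nonce and AD values used in the checks are constructed for the example.

```python
import hmac

MASK = (1 << 64) - 1
IV = 0x80400C0600000000                     # ASCON-128 parameters k=128, r=64, a=12, b=6
rotr = lambda x, n: ((x >> n) | (x << (64 - n))) & MASK

def permutation(s, rounds):
    """ASCON permutation p^rounds on the 320-bit state s (five 64-bit words, in place)."""
    for r in range(12 - rounds, 12):
        s[2] ^= 0xF0 - 0x10 * r + r                 # constant addition: 0xf0, 0xe1, ..., 0x4b
        s[0] ^= s[4]; s[4] ^= s[3]; s[2] ^= s[1]    # substitution layer: bitsliced 5-bit S-box
        t = [(s[i] ^ MASK) & s[(i + 1) % 5] for i in range(5)]
        for i in range(5):
            s[i] ^= t[(i + 1) % 5]
        s[1] ^= s[0]; s[0] ^= s[4]; s[3] ^= s[2]; s[2] ^= MASK
        for i, (a, b) in enumerate([(19, 28), (61, 39), (1, 6), (10, 17), (7, 41)]):
            s[i] ^= rotr(s[i], a) ^ rotr(s[i], b)   # linear diffusion layer
def _blocks(data):
    """Pad with 0x80 then zeros to a multiple of 8 bytes and split into 64-bit words."""
    padded = data + b"\x80" + b"\x00" * (7 - len(data) % 8)
    return [int.from_bytes(padded[i:i + 8], "big") for i in range(0, len(padded), 8)]

def _aead(key, nonce, ad, data, decrypting):
    """Shared encrypt/decrypt core; returns (output bytes, 16-byte tag)."""
    k0, k1 = int.from_bytes(key[:8], "big"), int.from_bytes(key[8:], "big")
    s = [IV, k0, k1, int.from_bytes(nonce[:8], "big"), int.from_bytes(nonce[8:], "big")]
    permutation(s, 12)                              # initialisation
    s[3] ^= k0; s[4] ^= k1
    for w in (_blocks(ad) if ad else []):           # absorb associated data, 64-bit rate
        s[0] ^= w
        permutation(s, 6)
    s[4] ^= 1                                       # domain separation between AD and payload
    out, full = b"", len(data) - len(data) % 8
    for i in range(0, full, 8):                     # full 8-byte blocks
        c = int.from_bytes(data[i:i + 8], "big")
        out += (s[0] ^ c).to_bytes(8, "big")
        s[0] = c if decrypting else s[0] ^ c        # rate word always holds the ciphertext
        permutation(s, 6)
    last = bytes(a ^ b for a, b in zip(s[0].to_bytes(8, "big"), data[full:]))
    s[0] ^= _blocks(last if decrypting else data[full:])[0]  # padded final plaintext block
    s[1] ^= k0; s[2] ^= k1                          # finalisation
    permutation(s, 12)
    return out + last, (((s[3] ^ k0) << 64) | (s[4] ^ k1)).to_bytes(16, "big")

def encrypt(key, nonce, ad, pt):
    return b"".join(_aead(key, nonce, ad, pt, False))   # ciphertext || tag

def decrypt(key, nonce, ad, ct):
    if len(ct) < 16: return None
    pt, tag = _aead(key, nonce, ad, ct[:-16], True)
    return pt if hmac.compare_digest(tag, ct[-16:]) else None   # None when the tag fails
```

Before relying on any such implementation, check it against the official ASCON known-answer test vectors; the checks here only confirm round-trip and tamper detection, not conformance.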

As we have seen, lightweight cryptography can be a valuable tool for providing security in area- and power-constrained IoT devices. As a leading provider of cryptographic IP cores, Rambus can support customers implementing the ASCON algorithms with the ASCON-IP-41 Crypto Engine IP core. The ASCON-IP-41 Crypto Engine supports the two primary algorithms proposed under the ASCON family, ASCON-128/HASH and ASCON-128A/HASHA, in both AEAD and hash modes of operation. To learn how the engine works and about potential use cases, visit the Rambus website.


Bart Stevens
Bart Stevens is senior director of product management for cryptography at Rambus.